Description

The app-loading refactor has deprecated importing a model which is not in the installed apps #21680. This leads to some incompatible defaults in the global settings defaults. In the defaults INSTALLED_APPS is empty but MIDDLEWARE_CLASSES contains 'django.contrib.sessions.middleware.SessionMiddleware' and 'django.contrib.auth.middleware.AuthenticationMiddleware' which rely on the related apps being in the INSTALLED_APPS. Since most users create their initial settings via startproject this isn't an issue but it still makes for a poor default. It also implies a coupling or dependency between Django core and contrib.auth and contrib.sessions which doesn't actually exist.

My recommendation would be to remove any contrib middleware from the MIDDLEWARE_CLASSES in the global settings but continue to set them in the startproject template which also sets an appropriate INSTALLED_APPS setting. Since this setting is created by default in startproject I don't think this raises any major backwards incompatibility issues.

I would personally rather fix them piecewise at least on the ticket basis. I know there are larger movements within the community to try to remove or simplify the settings (there are currently 6 settings just for the CSRF cookie) but sweeping changes are difficult to move through the process. Waiting on a more general solution to global settings is letting better be the enemy of done. To me this is a clear inconsistency which is simple to fix and document, it's unlikely to impact many users and some (though not all) of the rare users who might be bitten by this change can be warned through the system checks.

Yes if you have a runtests.py for a reusable app which doesn't include contrib.auth or contrib.sessions in the INSTALLED_APPS and doesn't change the MIDDLEWARE_CLASSES but does hit a view by running through the middleware stack (i.e with the test client) you'll see these deprecation warnings. With this change you'll instead see the system check which for 1.7 at least is louder then the RemovedInDjango19Warning. The fix for it in either way is to be explicit about the required set of MIDDLEWARE_CLASSES for running the tests and if you need the auth or session middleware then those should be in the INSTALLED_APPS as well.